GDPR, now what? Experiences from Italy

The General Data Protection Regulation (GDPR) n°2016/679 introduced numerous innovations regarding the processing of personal data. Among these, great interest was raised by the obligation, for the Data Controller, to carry out in certain cases an assessment of the impact that the treatments could have on data protection.

The WP29 adopted specific guidelines on the subject, recently followed by a provision of the CNIL (the French data protection authority).

The difficult interpretation of the rule in Regulation has in fact necessitated some interventions aimed at identifying the concrete cases in which the application is required.

In an attempt to clarify the point, the Italian Control Authority has published, in the provision 467/2018, a list of the types of treatments to be evaluated in terms of impact but susceptible to further modifications or additions also on the basis of the results found in the first phase of application of the GDPR.

In the same provision, the Italian Control Authority specifically indicates the type of treatments that must be subject to an impact of assessment:


  • Treatment involving systematic use of data for observation, monitoring or control of data subjects (including web services, interactive TV, etc.) in comparison to the types of usage and the vision data (also for reasons of technological upgrades and improvement of networks);
  • Treatment carried out through use of innovative technologies (for example on-line voice assistants, monitoring performed by wearable devices, proximity tracking such as wi-fi tracking);
  • Treatment carried out by combining or comparing information, including the crossover of consumption data of digital goods with payment data (for example mobile payment systems);
  • Treatment carried out, in labour relations, via video surveillance or geo-localization systems that allow remote control of employees activities;
  • Treatment that involves the exchange between data controller on a large scale with IT tools (for example the transmission of data between Public Authorities for the fulfillment of legal obligation);
  • Treatment that enables the data subjects, automatically and without human intervention, from exercising a right or using goods or services (for example the screening of bank customers through the use of data recorded in Risk’s Bureau);
  • Treatment that involves a large scale evaluation or profiling of data subjects, made also online or through app;
  • The large-scale processing of data concerning the exercise of a basic and fundamental right (such as location data, whose collection affects the freedom of movement) or which have a serious impact on life of the data subjects (such as financial data that could be used to commit fraud);
  • The treatment of particular categories of data (suitable for revealing personal opinion, ethnic origin or religious belief) or data relating to crimes and criminal convictions;
  • The systematic treatment of biometric and genetic and non – occasional data concerning the most vulnerable categories, such as children, the disabled, the elderly and the legally insane, for example for hospital activities.


The indications given by the Authority with the provision, even though they are provisional, represent an important step forward in the development of full and complete compliance with the GDPR, whose real value can be assessed on the basis of the various feedback provided by an effective application.

Niccolò Lasorsa BorgomaneriStudio Legale Marsaglia – Milan, Italy

Andrea PalumboStudio Legale Marsaglia – Milan, Italy


Read more:

GDPR in Canada

GDPR in France

GDPR in Germany